MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 e8fc104848a0052d2fedd753bd7e70f9cd3d81d286cf9a85c67f1cd604c74996. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

DanaBot

Vendor detections: 11

Intelligence 11 IOCs YARA File information Comments

SHA256 hash:	e8fc104848a0052d2fedd753bd7e70f9cd3d81d286cf9a85c67f1cd604c74996
SHA3-384 hash:	847cc16150f3334bc3cf471213b6f202ec96b1e9e98e205376c948965bb858357600df8cee8cd731f745846a15cc12d6
SHA1 hash:	e97ebb45cd4acc8d84b603fe133a0b54e3067376
MD5 hash:	4b92e211198e39a18bc6c86147e28963
humanhash:	mirror-aspen-william-kansas
File name:	4b92e211198e39a18bc6c86147e28963.exe
Download:	download sample
Signature	DanaBot Create hunting rule
File size:	1'821'184 bytes
First seen:	2021-11-15 09:04:32 UTC
Last seen:	Never
File type:	exe
MIME type:	application/x-dosexec
imphash	804abf6bfd1eb86d699699dd471c7b89 (10 x RaccoonStealer, 4 x RedLineStealer, 2 x Loki)
ssdeep	49152:+h6WP+xERjrOqFtmrX97h4JJqgwoM7Hr0+CqKf84Q:e60+xERjKqFort7GagJOnK3Q
Threatray	7'285 similar samples on MalwareBazaar
TLSH	T1518523C5A2A19877D1193F319A028AA3227BFC22D5345502B7F9EB5E3E333D09582F57
File icon (PE):
dhash icon	fcfcd4d4d4d4d8c0 (75 x RedLineStealer, 56 x RaccoonStealer, 23 x Smoke Loader)
Reporter	abuse_ch
Tags:	DanaBot exe

Intelligence

File Origin

# of uploads :

# of downloads :

418

Origin country :

n/a

Vendor Threat Intelligence

Detection:

DanaBot

Link:

https://www.capesandbox.com/analysis/205837/

Detection(s):

Win.Packed.Fragtor-9908420-0

Win.Packed.Fragtor-9908933-0

Win.Packed.Generic-9908949-0

Win.Dropper.Fragtor-9909325-0

Result

Verdict:

Suspicious

Maliciousness:

Behaviour

Creating a file

Enabling the 'hidden' option for recently created files

Sending a UDP request

Launching a process

Creating a process with a hidden window

Verdict:

Suspicious

Threat level:

5/10

Confidence:

100%

Tags:

greyware packed

Link:

https://www.filescan.io/uploads/619222c4dec3347825a5081b/reports/ab378ac5-7894-4776-9a0d-ee0613c6d620/overview

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Generic Malware

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/f1e0b6c2-ff63-4910-ada2-7d7ffbe9f742

Result

Threat name:

DanaBot

Detection:

malicious

Classification:

troj.evad

Score:

96 / 100

Link:

https://www.joesandbox.com/analysis/889318

Signature

C2 URLs / IPs found in malware configuration

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Machine Learning detection for sample

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected DanaBot stealer dll

Behaviour

Behavior Graph:

Download SVG

Detection:

n/a

Link:

https://mwdb.cert.pl/sample/e8fc104848a0052d2fedd753bd7e70f9cd3d81d286cf9a85c67f1cd604c74996/

Threat name:

Win32.Ransomware.StopCrypt

Status:

Malicious

First seen:

2021-11-15 09:05:08 UTC

AV detection:

25 of 28 (89.29%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=5d6basciuacs2l7n25j327tq7hgt3aosq3hzvbogp4onmbghjgla._file

Verdict:

malicious

DanaBot

18ae9ea1c1d71b33777c8772248580f17a2bcecf1aa0e8f71ec15d4b33d5253b

DanaBot

4e19a6c2fb2fd245e5c2097ff4d91aa86c4f49aaa4fbdab4cae046e3e02d0e52

DanaBot

8d2fc9db7c9f5dcf80faef24bf99af1a4553007d810981fef4026f3fce02a945

DanaBot

a5437c7d1711d9ef40881b429e3b308c5e3d6b94da15aa1b20f5c64ecbe49848

DanaBot

ba58e003883e6ef7e4e1b5289fc201a8e5eaeec85fe2f3809e68aad8439066ae

DanaBot

c0c908fdb5c67cd4ab56ab911320adaf68e4bc9a230a4a04eaf2cf6ae92443f4

DanaBot

f8f1569945e8adb87cb91509db4129d64a878863a347dbea1b21b70e1a21f973

DanaBot

+ 7'275 additional samples on MalwareBazaar

Result

Malware family:

danabot

Score:

10/10

Tags:

family:danabot banker trojan

Link:

https://tria.ge/reports/211115-k17nkshga4/

Behaviour

Suspicious use of WriteProcessMemory

Loads dropped DLL

Danabot

Danabot Loader Component

Malware Config

C2 Extraction:

192.119.110.73:443
192.236.147.206:443
192.236.192.201:443

Unpacked files

SH256 hash:

b1025f8a03e240feb7cef4271604675d321981bca2c540842acc58b56b78ce93

MD5 hash:

dcb73fe4b643297120447105702e2cae

SHA1 hash:

cc1518df098cb6b1309f3dfaafcc874f42ce4d0f

Link:

https://www.unpac.me/results/febcaa32-9036-4a3c-be26-b573b9f8f4f5/

SH256 hash:

7874e7a172eafa918e807a71e43927b648ba128473b39dccf007ea4f696bade7

MD5 hash:

01a3f739fc9d49446ecee793c46353ee

SHA1 hash:

5a6069d76948f4c0b41a7e1f1eaed26d8b1fb16a

Link:

https://www.unpac.me/results/febcaa32-9036-4a3c-be26-b573b9f8f4f5/

SH256 hash:

e8fc104848a0052d2fedd753bd7e70f9cd3d81d286cf9a85c67f1cd604c74996

MD5 hash:

4b92e211198e39a18bc6c86147e28963

SHA1 hash:

e97ebb45cd4acc8d84b603fe133a0b54e3067376

Link:

https://www.unpac.me/results/febcaa32-9036-4a3c-be26-b573b9f8f4f5/

Please note that we are no longer able to provide a coverage score for Virus Total.

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

DanaBot

exe e8fc104848a0052d2fedd753bd7e70f9cd3d81d286cf9a85c67f1cd604c74996

(this sample)

Cape

https://www.capesandbox.com/analysis/205837/

URLhaus

https://urlhaus.abuse.ch/url/1772785/

Delivery method

Distributed via web download

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample